Package: evince
Version: 43.1-2+b1
Severity: important
Hello,
It seems that the AppArmor profile is not allowing evince to read file
accessed via the GVFS on Google drive (and probably other integrations)
I get the following denials:
type=AVC msg=audit(1674751821.962:528): apparmor="DENIED" operation="open"
profile="/usr/bin/evince"
name="/run/user/1000/gvfs/google-drive:host=example.com,user=foo/<path>"
pid=11026 comm="EvJobScheduler" requested_mask="r" denied_mask="r" fsuid=1000
ouid=1000FSUID="bigon" OUID="bigon"
Adding the following rule is allowing me to read my files, but I'm not
sure that enough or consistant with the other rules (shouldn't write
access be allowed too?):
/{,var/}run/user/*/gvfs/** r,
Kind regards,
Laurent Bigonville
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-2-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8),
LANGUAGE=fr_BE:fr
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages evince depends on:
ii dconf-gsettings-backend [gsettings-backend] 0.40.0-4
ii evince-common 43.1-2
ii gsettings-desktop-schemas 43.0-1
ii libatk1.0-0 2.46.0-4
ii libc6 2.36-8
ii libcairo-gobject2 1.16.0-7
ii libcairo2 1.16.0-7
ii libevdocument3-4 43.1-2+b1
ii libevview3-3 43.1-2+b1
ii libgdk-pixbuf-2.0-0 2.42.10+dfsg-1+b1
ii libglib2.0-0 2.74.5-1
ii libgnome-desktop-3-20 43.1-1
ii libgtk-3-0 3.24.36-2
ii libhandy-1-0 1.8.0-1
ii libpango-1.0-0 1.50.12+ds-1
ii libpangocairo-1.0-0 1.50.12+ds-1
ii libsecret-1-0 0.20.5-3
ii shared-mime-info 2.2-1
Versions of packages evince recommends:
ii dbus-user-session [default-dbus-session-bus] 1.14.4-1
Versions of packages evince suggests:
ii gvfs 1.50.3-1
pn nautilus-sendto <none>
ii poppler-data 0.4.11-1
pn unrar <none>
-- no debconf information
